It is common for companies and other organizations producing computer software (“software implementers,” or simply “implementers”) to apply cryptographic signatures to their software's code. Those who receive code signed in this way can verify the signature, and by doing so confirm that (1) the implementer is the source of the code, and (2) the code is unchanged from when it left the implementer's control, and thus has not been manipulated, for example to produce incorrect results or to compromise the security of the computer systems on which it runs. In some cases, computer systems are configured to install only code having verified signatures by implementers in a list of trusted organizations.
The cryptographic signatures used for this purpose typically involve an asymmetric key pair generated for the implementer. The key pair includes a private key that the implementer uses to produce cryptographic signatures and keeps secret, and a corresponding public key that is published on the implementer's behalf to enable others to verify signatures purportedly made by the implementer.
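The sign-and-verify flow described above, as an added example that is not part of the original document: Go with the standard library's Ed25519 implementation (an assumed choice of algorithm), with the implementer's private key used to sign, the published public key used to verify, and a recipient-side list of trusted implementers (the `TrustStore` shape is an assumption) that rejects unknown implementers, signatures by the wrong key, and code modified after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Implementer holds one software implementer's key pair. Priv never leaves the
// implementer; Pub is published on the implementer's behalf so others can verify.
type Implementer struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewImplementer generates a fresh Ed25519 key pair (assumed algorithm) for an implementer.
func NewImplementer(name string) (*Implementer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Implementer{Name: name, Pub: pub, Priv: priv}, nil
}

// Sign produces a detached signature over the code bytes with the private key.
func (im *Implementer) Sign(code []byte) []byte { return ed25519.Sign(im.Priv, code) }

// TrustStore is a recipient's list of trusted implementers, keyed by name (assumed shape).
type TrustStore map[string]ed25519.PublicKey

// MayInstall reports whether code claiming to come from the named implementer carries a valid
// signature under that implementer's trusted key; unknown implementer, wrong key, or tampering fails.
func (ts TrustStore) MayInstall(implementer string, code, sig []byte) bool {
	pub, ok := ts[implementer]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, code, sig)
}

func main() {
	acme, _ := NewImplementer("Acme")            // constructed sample implementer
	code := []byte("constructed sample program") // stands in for a real binary
	sig := acme.Sign(code)
	ts := TrustStore{acme.Name: acme.Pub}
	fmt.Println("genuine:", ts.MayInstall("Acme", code, sig)) // true
	code[0] ^= 1 // modify one byte after signing
	fmt.Println("tampered:", ts.MayInstall("Acme", code, sig)) // false
}
```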